Reuters social media editor charged over Anonymous hack of LA Times

Matthew Keys accused of handing over usernames and passwords to enable defacements.

Matthew Keys, deputy social media editor for Reuters, has been charged with conspiring with members of Anonymous to hack into the website of the Los Angeles Times in December 2010.

Keys, 26, was charged with one count each of conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer, and attempted transmission of information to damage a protected computer. The crimes carry sentences of up to ten years and fines of up to $250,000, though any actual sentences are likely to be a small fraction of these.

Keys was a former employee of California television station KTXL Fox 40. Fox 40 and the LA Times are both owned by media conglomerate the Tribune Company. Through his employment, he had credentials to the Tribune Company's content management system (CMS).

The indictment includes a partial IRC transcript which purports to show Keys, under the username AESCracked, chatting with an Anonymous member calling himself "sharpie" in the channel #internetfeds. Keys identified himself as a former Tribune employee, and is alleged to have provided a username and password for the Tribune CMS that allowed hackers to modify stories posted on latimes.com. These credentials were subsequently used to deface one story for approximately 30 minutes.

Court documents show that notorious hacker—and, later, FBI informant—Hector "Sabu" Monsegur participated in the IRC discussion. Sabu outed Keys as being involved in the latimes.com hack in March 2011, a couple of months prior to his arrest and co-operation with law enforcement.

While I agree the punishment often outweighs the crime in these situations, I am tired of the disingenuous assertions that the crime caused no harm.

> By taking down a site, ad revenue for the time is lost and sales could potentially be lost also.
> The down-time could trigger compensation clauses in contracts.
> Down-time requires man-hours from the IT department to restore service.
> Finally there is a possibility for damage to a corporate/brand image.

This harm could be considered minimal (or a cost of doing business), but it is an outright lie to claim no harm occurs. On the other hand, you know the other side will over-state damages to the maximum extent they believe they can get away with.

Will this be Aaron Swartz part deux? Seriously for a website defacing for 30 minutes where literally no harm came to pass, a 250k fine and 10 years in prison. These laws are outrageous.

I could understand a fine of a few grand.

I would be surprised were he to get more than a few grand in fines, court costs, probation, and probably time served, if any. Of course, his legal fees will likely be more than what he is fined, but that's America for you. Maximum sentences are rarely given out for situations like this, although it's not impossible.

It takes a lot of brain to compromise a computer. The authorities are just afraid of smart people. That's the way it's always been throughout history.

It also takes much more effort and planning to deface a website. So they are not at all the same thing. A 2 year old can deface a poster. But put a 2 year old in front of a computer and say, "deface a website" and see how far the 2 year old gets. Most likely this guy is not going to see anywhere near the max unless he is an idiot in front of the judge.

Will this be Aaron Swartz part deux? Seriously for a website defacing for 30 minutes where literally no harm came to pass, a 250k fine and 10 years in prison. These laws are outrageous.

I could understand a fine of a few grand.

It's too bad Anonymous took down the sentencing guidelines site. I suspect that that's not too dissimilar to what they recommend.

Update: Oh it's up (though it looks like it's broken in places, perhaps it's vulnerable to SQLi). I believe that this would be a level 5 or 6 offense. With no criminal history, the guideline is for 0-6 months.

It's quite different. The number of people who see it is different, particularly since a hacked website often sees a surge in traffic as people say "haha, check out what happened to them". (And that surge in traffic has bandwidth costs and can possibly bring down servers. It certainly won't bring in net revenue.) It reflects poorly on the company, which isn't true for a poster or billboard; no one is going to fault you for failing to secure a sign by the highway. And the direct costs (correcting the intrusion is tiny compared to identifying how it occurred, plugging any holes and spinning it for PR) are much larger than "go throw up a new poster on that wall".

Not to mention the law isn't about defacing a website, it's about illegal access. Hence why humans are part of the sentencing; they'll recognize that this isn't a serious enough offense to warrant a decade in prison.

On the other hand defacing a website is usually easier to clean up and repair than defacing a billboard which requires at the minimum, someone to physically climb up there with some paint and a brush to clean up the mess. A defaced website can be taken offline and repaired in a fraction of the time it takes to repair a billboard.

That doesn't excuse either as a crime but the criminal cost of one is outrageously disproportionate to the other. Much like stealing a dvd from a store isn't as bad as if you simply downloaded it off the internet. Electronic crimes are excessive to their physical counterparts.

Quote:

Why is a punishment for defacing a web site more stiff than that?!

The defacement of the web site is the symptom. The actual crime is in gaining access to the network. From there, anything can be compromised, and the web site is simply the smallest thing that can be affected. There are other much larger, and more punitive, actions that must be protected and investigated.

For instance, if the web site is compromised, and the web site in any way handles credit card data (there is a subscribe link at the top of the latimes.com site), that entire system, top to bottom - which most likely includes not only the servers in the web farm, but also the database servers, the payment servers, the logging servers, and workstations of any employees who touched the systems, etc. - to ensure that credit card data was not accessed, and if it was, what data was accessed and who needs to be notified of the data compromise. All hosts are checked to ensure no trojans were left behind, which often is best done by rebuilding from scratch. And of course, whatever compromise was used (even a known password) has to be fixed.

Even without a further compromise than the single article on the website, the cost of the investigation and remediation could be well over $10,000 simply to make sure that's all that happened.

Monetary costs aside, if you've ever been the guy involved in the forensic investigation and cleanup from one of these attacks, you know what kind of a douche move this kid made. God damn, don't screw over your old co-workers for "rep" with an anonymous person online. Idiot.

On the other hand defacing a website is usually easier to clean up and repair than defacing a billboard which requires at the minimum, someone to physically climb up there with some paint and a brush to clean up the mess. A defaced website can be taken offline and repaired in a fraction of the time it takes to repair a billboard.

That doesn't excuse either as a crime but the criminal cost of one is outrageously disproportionate to the other. Much like stealing a dvd from a store isn't as bad as if you simply downloaded it off the internet. Electronic crimes are excessive to their physical counterparts.

Easier to clean up assuming they haven't dropped a bunch of malware or installed some kind of back door/remote access program.

And you know, companies don't like spending profits on stupid things like proper security... which is what got them into trouble in the first place. :>

Yep, throwing money at security is sure to eliminate attacks. Security is a process, not an end result, and it is a constant effort to stay ahead of the bad guys. You simply cannot pay more and be secure. You're going to be cracked if you're a big enough target and you're around long enough. That's *why* even companies with good security have computer forensic experts on staff or retainer for the inevitable hack, and have constant audits to point out weak spots that need shored up.

In this case, a user and password to a CMS were given out. The vulnerability was not some sort of SQL injection attack, the intruders were given the keys. Social engineering is the most difficult thing to secure, and there is absolutely no money that can be thrown at it to solve the problem. Their problem here was hiring a 26 year old who was willing to give out the username and password. There was probably a problem with not changing passwords frequently enough, but having accounts that are open to outsiders, like contract journalists and "social media experts" means there's always going to be an account that can be exploited.

Personally? I'd sentence that to community service and a few thousand dollars fine. It was wrong, to be sure, but it was essentially just a prank.

"Maximum sentences" are almost never given out. There's a maximum sentence of ten days in prison for smoking on the bus here, but I can't imagine the extreme effort you'd have to go through to provoke that!

Generation Douche Bag should be the term for the 20 somethings we see populating these stories all the time. They are literally a group of people who think they can do whatever the hell they want in every facet of life. They are egotistical sociopaths.

There is one issue that has been overlooked. His user credentials were never disabled before he was fired. The real problem is the sloppy security procedures followed when an employee leaves the company for any reason. Yes, he should not have shared his credentials with anyone; what charge is appropriate is debatable. But if no one disables his accounts after he has left then they certainly deserve blame for serious incompetence or criminal stupidity. Not disabling all his credentials is the same as not getting any key he might have had or any other company property he had.

One should be concerned about the lax policies because the obvious question is where else are their security procedures sloppy. Credit card numbers, employee social security numbers, direct deposit information should be considered as good as on the net somewhere.

Will this be Aaron Swartz part deux? Seriously for a website defacing for 30 minutes where literally no harm came to pass, a 250k fine and 10 years in prison. These laws are outrageous.

I could understand a fine of a few grand.

I would be surprised were he to get more than a few grand in fines, court costs, probation, and probably time served, if any. Of course, his legal fees will likely be more than what he is fined, but that's America for you. Maximum sentences are rarely given out for situations like this, although it's not impossible.

Maybe one day "a jury of our peers" will actually mean people qualified to comprehend the subject matter and legal issues. Until then, "rarely" is good enough for me to start singing "Oh, Canada!". Why anyone would play the odds with a justice system that has proven repeatedly that it cannot be trusted is beyond me. If your roll of the dice comes up wrong, well, it's too fucking late now. Has everyone forgotten Mitnick's ordeal? Or the West Memphis Three (for a non-tech example)? Fear born of ignorance widespread among the paranoid and powerful is a bad combination. I'm surprised it hasn't already led to the US having the largest prison population on the planet. Oh wait.....

For instance, if the web site is compromised, and the web site in any way handles credit card data (there is a subscribe link at the top of the latimes.com site), that entire system, top to bottom - which most likely includes not only the servers in the web farm, but also the database servers, the payment servers, the logging servers, and workstations of any employees who touched the systems, etc. - to ensure that credit card data was not accessed, and if it was, what data was accessed and who needs to be notified of the data compromise. All hosts are checked to ensure no trojans were left behind, which often is best done by rebuilding from scratch. And of course, whatever compromise was used (even a known password) has to be fixed.

Even without a further compromise than the single article on the website, the cost of the investigation and remediation could be well over $10,000 simply to make sure that's all that happened.

In this particular case, I'll eat my shoe if the LA Times actually did that. You're describing how a firm that already follows best practices (and funds that) would respond. I'm sure in your line of work, these are probably the type of companies you deal with. But there's a whole world that eclipses those who take security seriously, and what you describe is just foreign to the whole dotcom devops model.

If you need proof, bear in mind that this hack tells us:

- The security policy (if there was one) did not involve revoking credentials when an employee left
- You could login to the LA Times CMS as a content editor (and perhaps more) from a random IP on the internet (tip for Anonymous: maybe brute-force guessing will get you into other newspapers, and if it doesn't you might get the lesser prize of locking out all their writers as their accounts are automatically disabled after X login attempts)

If those two things are indeed true, does that really sound like a company that is going to spend the time and money doing much beyond disabling the ngarcia account?

Will this be Aaron Swartz part deux? Seriously for a website defacing for 30 minutes where literally no harm came to pass, a 250k fine and 10 years in prison. These laws are outrageous.

I could understand a fine of a few grand.

I would be surprised were he to get more than a few grand in fines, court costs, probation, and probably time served, if any. Of course, his legal fees will likely be more than what he is fined, but that's America for you. Maximum sentences are rarely given out for situations like this, although it's not impossible.

Maybe one day "a jury of our peers" will actually mean people qualified to comprehend the subject matter and legal issues. Until then, "rarely" is good enough for me to start singing "Oh, Canada!". Why anyone would play the odds with a justice system that has proven repeatedly that it cannot be trusted is beyond me. If your roll of the dice comes up wrong, well, it's too fucking late now. Has everyone forgotten Mitnick's ordeal? Or the West Memphis Three (for a non-tech example)? Fear born of ignorance widespread among the paranoid and powerful is a bad combination. I'm surprised it hasn't already led to the US having the largest prison population on the planet. Oh wait.....

People are worried about the sentence he may receive. That's nothing compared to the personal damage he's done to himself. Can anyone say 'career suicide'? I suspect that if he's found guilty he'll lose his job and find getting a similar job impossible.

It's sad to see someone, who is probably a bright kid, do something that will haunt him for the rest of his life.

Will this be Aaron Swartz part deux? Seriously for a website defacing for 30 minutes where literally no harm came to pass, a 250k fine and 10 years in prison. These laws are outrageous.

I could understand a fine of a few grand.

I would be surprised were he to get more than a few grand in fines, court costs, probation, and probably time served, if any. Of course, his legal fees will likely be more than what he is fined, but that's America for you. Maximum sentences are rarely given out for situations like this, although it's not impossible.

Maybe one day "a jury of our peers" will actually mean people qualified to comprehend the subject matter and legal issues. Until then, "rarely" is good enough for me to start singing "Oh, Canada!". Why anyone would play the odds with a justice system that has proven repeatedly that it cannot be trusted is beyond me. If your roll of the dice comes up wrong, well, it's too fucking late now. Has everyone forgotten Mitnick's ordeal? Or the West Memphis Three (for a non-tech example)? Fear born of ignorance widespread among the paranoid and powerful is a bad combination. I'm surprised it hasn't already led to the US having the largest prison population on the planet. Oh wait.....

Many of my friends, who are lawyers, suggest that if you're innocent ask for a trial by judge. If you're guilty then ask for trial by jury. Juries are often made up of individuals that don't understand the scope of the situation. Often they get it wrong.

I might be wrong but he wasn't working for the Tribune company when he provided the credentials(?). If that was the case, is he still obligated to keep his credentials private since they should have been disabled immediately after he left employment?

Obviously, it's a very different story if he still worked for the company.

- The security policy (if there was one) did not involve revoking credentials when an employee left
- You could login to the LA Times CMS as a content editor (and perhaps more) from a random IP on the internet (tip for Anonymous: maybe brute-force guessing will get you into other newspapers, and if it doesn't you might get the lesser prize of locking out all their writers as their accounts are automatically disabled after X login attempts)

Try again, other reports have included more information. Keys wasn't fired from Times, he was fired from a Fox affiliate station.

Quote:

According to the indictment, which is embedded below, Keys connected with Anonymous hackers soon after being terminated by the Sacramento television station KTXS-Fox 40, where he worked as a web producer. In December 2010, in an online forum used by Anonymous, Keys, under the username AESCracked, allegedly shared a username and password that he told them would allow them to access the content management system of Fox 40 and the Times.

One hacker, operating under the screen name Sharpie, told Keys he “had a whole front page layout made for the chicago tribune” but “there [sic] sysadmins were good” and quickly shut down his access. Keys allegedly attempted to get Sharpie back into the system but was unable.

It's an online system for affiliates to use. That it is available over the internet is very common. Also, per the hacker, the sysadmins locked him out very quickly, which indicates they have some sort of focus on security.

If you want to believe that there were no damages done, or that the security was piss poor, or whatever, fine. The point was to illustrate that the cost of a web site vandalism is not comparable to physical vandalism. Many people seem to be overlooking that to focus on minutia that distracts from the false comparisons.

"Social media editor?" I look forward to the day when I don't ever have to see a business title like that.

Eh...it's just a more specific version of "PR Specialist" or "Media Coordinator". Sometimes job titles refer to the specific area you work in (in this case, the PR guy who helped to manage their online presence).

I know we're supposed to scoff at all the attention paid to social media but online forums and communication services are a large part of business today and they hire staff to cover those things.

Maybe one day "a jury of our peers" will actually mean people qualified to comprehend the subject matter and legal issues.

You have a right to a jury trial. There's nothing about a "jury of your peers" in the constitution. Just a jury.

And why do you have the curious belief that a jury's finding of guilty is only based on them not comprehending the law or legal issues? I'm pretty sure they understand both; they just don't buy the idea that certain kinds of hacking are harmless.

Quote:

Until then, "rarely" is good enough for me to start singing "Oh, Canada!". Why anyone would play the odds with a justice system that has proven repeatedly that it cannot be trusted is beyond me. If your roll of the dice comes up wrong, well, it's too fucking late now. Has everyone forgotten Mitnick's ordeal? Or the West Memphis Three (for a non-tech example)?

The justice system has not proven "repeatedly" that it can't be trusted. Although occasionally it reaches the wrong result - but it's a pretty tiny number out of the more than 2 million criminal cases filed every year.

I don't particularly think that Kevin Mitnick was treated unfairly at all. Why do you? The West Memphis Three may have been not guilty, however. But if you can show 20,000 wrongful convictions every year, you've demonstrated a 1% error rate (and that's not accounting for the appellate error-correcting process, as used in the WM 3 case.)

Quote:

Fear born of ignorance widespread among the paranoid and powerful is a bad combination. I'm surprised it hasn't already led to the US having the largest prison population on the planet. Oh wait.....

And while I'm not a fan of the US prison system, you can't ignore the significant fact that the US has a hell of a lot more crime than other developed countries, which is the largest contributor to the prison population. There are about 12,000 murders in the US every year. Germany, France, and the UK each have about 700 murders per year.